Threat of the Week: NCUA on DDoS

The week’s security headline: The federal regulator has acknowledged that Distributed Denial of Service attacks are potentially a huge issue for credit unions and the upshot is issuance by NCUA of a risk alert offering pointers on mitigation.

Experts have been quick to weigh in with opinions on the usefulness of NCUA’s counsel.

Keep in mind that two credit unions – University Federal Credit Union and Patelco – were knocked down and out by DDoS attacks in January. Others may have suffered attacks. The two that are named were identified in Web postings as victims byIzz ad-Din al-Qassam Cyber Fighters, the Middle Eastern group that has claimed authorship of the recent highly sophisticated takedowns of financial institutions.

DDoS attacks have not typically risen to the threshold of requiring an incident report to NCUA, thus the uncertainty about the victim count.

In its new risk alert, the NCUA urges credit unions that suffer a DDoS attack to file a Suspicious Activity Report, but the SAR filing remains “voluntary.”

The NCUA alert noted that traditional defenses – such as firewalls and intrusion detection systems – “may offer inadequate protection.” Most security experts would amend that to delete the “may,” that is, these defenses offer no meaningful protection against the recent, industrial-scale DDoS attacks.

Ensure incident response programs include a DDoS attack scenario during testing and address activities before, during, and after an attack.

Perform ongoing third-party due diligence, in particular on Internet and Web-hosting service providers, to identify risks and implement appropriate traffic management policies and controls.

At $748 million Texas Trust Credit Union in Mansfield, Texas, security administrator David Naylor said that to his eyes the best part of the NCUA alert is its focus on urging credit unions to take defensive steps before they are attacked.

He added that, based on what he hears in informal conversations at industry conferences, a substantial number of credit unions have meager DDoS defenses. “I am terrified what may happen to some, based on what I have heard,” said Naylor.

Marty Meyer, CEO of Corero, a DDoS mitigation appliance maker, said in an interview that he was disappointed in the NCUA alert: “It comes up short. It does not mandate any mitigation steps. How bad does it have to get before NCUA requires action.”

It potentially could get very bad, because in the NCUA alert is this sentence: “DDoS attacks may also be paired with attempts to steal member funds or data.” That, suggested Meyer, harks back to recent reporting by security blogger Brian Krebs that links a DDoS attack on San Francisco based Bank of the West to a $900,000 looting of an account. The DDoS was unleashed to distract and confuse the bank’s IT staff, suggested Krebs.

That linkage echoes a December alert from the Comptroller of the Currency, pairing DDoS with possible larceny.

Al Pascual, a security expert with Javelin Research, elaborated in an email that the NCUA recommendations were minimal on purpose. “The recommendations made were obviously geared to institutions that can't afford the kind of protection necessary to stymie DDoS attacks. These are fraud mitigation recommendations [that have] little to do with DDoS, but [are] geared rather to limit the possibility of account intrusions.”

Pascual added: “As most CUs are not going to have the budget to stop the volume of network traffic that we've seen in these attacks, and if all the attackers move on with little fanfare or trouble, such an investment could end up being hard to justify.”

Neal Quinn, chief operating officer at Prolexic, a DDoS mitigation firm, said in an interview that his take on the risk alert was that it was for the good: “The best counsel is to turn over DDoS mitigation to third-party firms that can handle it.”

That is the bottom line. Few credit unions, suggest the experts, have in place protections to ward off the large-scale, nation state-linked DDoS attacks that took down the nation’s biggest banks in 2012 and into early 2013. But the question is, do most credit unions need those defenses? The other question: Can they afford them?

Said Naylor, use the NCUA risk alert as “a good opportunity to see how you are prepared. Take a hard look at your defenses.”

Know what would happen were your credit union subjected to a high-powered, industrial-scale DDoS attack and then smart decisions about what to do – or not do – can be made.

But until the possible damages are known, it’s hard to talk what’s right for this institution and what isn’t, said Naylor. “It all starts with a risk assessment.”